Ransomware Surveys Fill In Scope, Scale of Extortion Epidemic

Half of all surveyed organizations have been hit with ransomware campaigns in the last year, many more than once

Some 50% of organizations have been hit with a ransomware infection in the last year, and of those, 85% have suffered from three or more attacks, according to a user survey conducted by security vendor SentinelOne.

As a result, 70% of respondents report an increase IT security spending, and 65% have changed their security strategies to focus on mitigation. More than half — 52% — say they've lost faith in their antivirus protection.

"It’s not surprising to see high levels of apathy towards traditional antivirus software, and we don't expect the ransomware epidemic to slow down anytime soon," says Jeremiah Grossman, chief of security strategy for SentinelOne, in a statement. "The situation is likely to get far worse, as some of the ill-gotten gains will be invested into research and development designed to improve encryption strength and utilize new delivery methods, as witnessed with Locky.”

Tis the season for vendors' ransomware surveys. PhishMe reports this week that developers of Locky ransomware have shown "creativity, agility, and adaptability" in their repeated improvements to the malware, frustrating the efforts of analysts, researchers and infosec professionals to prevent or mitigate attacks. And Cato Networks says that 73% of CIOs view defending against ransomware and other emerging threats as their top priority for 2017.

While few security pros would deny that ransomware is a growing problem, the trio of vendor reports begins to put the scope and scale of this malware epidemic into sharper contrast.

"Infosec professionals need to understand that ransomware leverages the current malware infrastructure, it's extremely easy to create, and it scales very well. It's also very lucrative for the bad guys," Grossman tells Dark Reading in a phone interview. Left unaddressed, the proliferation of ransomware threatens to mirror that of spam. "We have an opportunity now, but if we wait too long, ransomware's going to be everywhere," he adds.

Grossman also distinguishes between two kinds of ransomware attacks: indiscriminate and targeted. With indiscriminate campaigns, the bad guys know nothing about the content or value of the data they're encrypting. In a targeted attack, bad actors will go after a healthcare organization, for example, because it's literally life and death and widely assumed that they'll pay. "A couple weeks ago, a company was targeted and four hospitals had to reschedule patient operations while they dealt with ransomware infection," Grossman explains.

SentinelOne surveyed 500 "cybersecurity decision makers" at organizations with more than 1,000 employees in October 2016, including 200 people in the US, and 100 each in the UK, France, and Germany.

What can organizations do to protect themselves against this kind of extortion? One obvious preventive measure is performing regular data backups, so if an organization's servers or desktops get hit with a ransomware attack, they'll have unencrypted copies in reserve that allow them to carry on with business as usual. "One thing ransomware has done is inadvertently exposed the lack of backup data" on the part of end-users, Grossman explains.

It really comes down to patching, especially since browsers are getting hit with drive-bys; another protection is to monitor inbound attachments on email and to disable macros. "Should malware get into the system and start to execute, there's technology available that detects bad apps at runtime," Grossman recommends.

SentinelOne's survey highlighted other issues for companies hit with ransomware:

Company data most often affected by ransomware campaigns was financial data (52%), employee information (46%) and customer information (37%);

68% of respondents agreed that traditional security techniques can't protect organizations from the next generation of malware;

Most companies still assume responsibility for data breaches and ransomware attacks; only 42% say they would demand answers from their IT security vendors.

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

FWIW, virtualized sandboxing has been shown to be an effective countermeasure against ransomware -- and, indeed, that some forms of modern ransomware even actively scan for virtualized instances and decline to install if they find any (lest they be subjected to reverse engineering).

@Terry: The only way I see regulation having an impact here is if it regulates businesses in certain sectors (e.g., healthcare, financial services, etc.) to specifically refuse to pay ransoms or set limits on the amounts they can pay -- and make the penalties for paying ransoms so substantial that such businesses would be compelled to not so pay.

And, as such, those regulations would be completely unworkable. If a hospital's data is held ransom, human lives and limbs are at stake. If a financial services' firm or even a generic Fortune 50 firm is held hostage, the entire global economy is at stake.

If those working in public policy really want to make a difference here, the solution is not regulation or legislation but rather better investment in improving cybersecurity.

If you're using an OS based in the command line, whether Unix, old-school MS-DOS, or whatever, you naturally have to know much more about what's going on on your machine than the average MacOSX or Windows user. As such, you're more of a power user and in general will position yourself better.

An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...

Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.